With the development of increasingly complex systems, policies are widely used to allow users a level of customization and automation of a system without the need for rebuilding or restarting. Existing policy-based management systems (PBNM or PBMS) define customization for access control, obligated behavior, and/or flow control, but do not address architecture security. Most existing policy systems have a centralized approach to security and are defined with centralized policy control, where security is provided by the network authentication process, though some may utilize authentication information as part of the policy condition. Typically, both connectivity and trust are assumed, allowing the deployment of a centralized or hierarchical system for both distribution and evaluation of policies. Generally, one trusted node is assumed to exist in the PBNM. However, any node in the network may be an undetected attacker.
In the established Policy Decision Point (PDP) to Policy Enforcement Point (PEP) model, e.g., IETF's COPS-PR and NetConf for obligation policies, and systems such as Smart Firewalls for authorization policies, policy decisions are made at a logically central point and each decision is then dispatched to the endpoints. Existing systems attempt to secure the PDP-to-PEP communication with transport-level security and user-level authentication (e.g., ssh for NetConf). The hierarchical paradigm has been adapted for use in MANETs by providing dynamic service discovery and redundancy.
In an alternative approach, policies are created and processed centrally on the node rather than being isolated by application.
Any dispatching of policy decisions over the network increases the chances of decision hijacking or interference and allows hostile observers of network traffic to perform traffic analysis and deduce system behavior. Since the policy decision is made by one node, an attacker can target that one node to compromise the whole network. Additionally, making policy decisions for an entire node from a single PDP increases the ability of an attacker who has compromised a single application to compromise the entire node. Both policy distribution and policy enforcement are protected, at best, only by transport-level security, and are authenticated only at the user level. This protection is insufficient in a hostile environment, and the authentication is too coarse-grained for a secure network with application-specific policies.
Typically, most policy languages support any combination of conditions. A potential security concern is implicitly allowing unexpected conditions when using the negate operation in the condition.
To illustrate this concern, the following is a sample policy condition. In a system with only “blue” and “purple” tracks, this policy condition allows only “blue” tracks to join the group A, B, or C. However, when a new track, say “red”, is introduced to the system, the policy implicitly permits both the “red” and “blue” tracks to join the group, which is potentially undesirable.
...Conditions : (request == "join") && (group == "A" || group == "B" || group == "C") && (track != "purple") -> "true";...
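The following is an added illustration, not part of the original text: a minimal evaluator for the sample condition above, run first over the two tracks the text names and then with a new "red" track, beside an explicit allow-list form of the same condition. The attribute names and values come from the text; the atom representation, the evaluator, the "red" track and the review helper are assumptions made for this example.

```python
# Added example (not from the paper): evaluating the sample policy condition
# two ways to show how the negated atom admits a newly introduced track.
# A condition is a list of atoms (attribute, operator, value), all joined by &&.

NEGATED_CONDITION = [           # the form shown in the text: track != "purple"
    ("request", "==", "join"),
    ("group", "in", {"A", "B", "C"}),
    ("track", "!=", "purple"),
]
ALLOWLIST_CONDITION = [         # hardened form: name the permitted track explicitly
    ("request", "==", "join"),
    ("group", "in", {"A", "B", "C"}),
    ("track", "==", "blue"),
]


def evaluate(condition, req):
    """Return True when every atom of the condition holds for the request."""
    for attr, op, value in condition:
        actual = req.get(attr)
        if op == "==" and actual != value:
            return False
        if op == "!=" and actual == value:
            return False
        if op == "in" and actual not in value:
            return False
    return True


def admitted_tracks(condition, tracks, group="A"):
    """Which tracks of the given domain may join `group` under this condition."""
    return sorted(t for t in tracks
                  if evaluate(condition, {"request": "join", "group": group, "track": t}))


def negated_atoms(condition):
    """Review helper: atoms written by negation admit every value not yet named."""
    return [(attr, value) for attr, op, value in condition if op == "!="]


if __name__ == "__main__":
    # Constructed domains: the two tracks named in the text, then a new "red" track.
    for tracks in ({"blue", "purple"}, {"blue", "purple", "red"}):
        print(sorted(tracks), "negated ->", admitted_tracks(NEGATED_CONDITION, tracks),
              "allowlist ->", admitted_tracks(ALLOWLIST_CONDITION, tracks))
    print("atoms to review:", negated_atoms(NEGATED_CONDITION))
```

With only "blue" and "purple" both forms admit exactly "blue"; once "red" exists, the negated form also admits "red" while the allow-list form does not.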
Accordingly, to provide a high-security MANET, several new challenges are identified for the design of its PBMS.
First, strict enforcement of communication restrictions necessitates a highly decentralized network management, even within a node, with a PBMS instance for each container, shared resources and secure infrastructure. This in turn creates more pressure on the resource consumption of a given instance, as node resources are typically scarce.
Second, high security requires explicit protection of policy integrity in transit, authentication of policy creators and authorization before a policy is enforced.
Third, policies must be made available to the PBMS instances in a timely manner to ensure enforcement. Given the dynamic nature of community building block creation and the intermittent connectivity in MANETs, this requires appropriate policy distribution mechanisms.
Fourth, the general policy deconfliction problem is complicated by the fully decentralized nature of policy creation and enforcement, and by the need to deconflict policies for a particular communication domain against shared resource and node policies within each node.
Thus, there exists a need for a PBNM system that is resilient to insider and external attacks. An inventive solution to this need includes identification of the security, performance and usability requirements of PBMS for high-security MANETs, and architectural and design solutions to meet these requirements.